Computer Security Integrity

Computer security Integrity

Olivier Markowitch Hash functions

A hash function, h, converts a binary string of arbi- trary size into a fixed-size n-bit string

If the input size > n then collisions happen

1 Hash functions properties

Compression: converts a binary string of arbitrary size into a fixed-size n-bit string

computation efficiency: h(x) must be efficiently com- putable

2 Hash functions in cryptography

Hash functions are used in:

• manipulation detection codes (MDC): to manage data integrity

• message authentication codes (MAC): to manage data integrity and source authentication

MDCs are divided into two classes: one-way hash functions (OWHF) and collision resistant hash func- tions (CRHF)

3 Cryptographic hash functions

Cryptographic hash functions have additional proper- ties : let x and x0 be inputs and let y and y0 be the corresponding outputs

1. preimage resistance: for at most all output y of h(), it must be computationally infeasible to find a preimage x0 such that h(x0) = y

2. second preimage resistance: given x and y = h(x), it must be computationally infeasible to find a second preimage x0 6= x such that h(x) = h(x0)

3. collision resistance: it must be computationally infeasible to find two inputs x and x0 such that h(x) = h(x0)

4 Definitions

A one-way hash function (OWHF) is a hash function that respects the properties of preimage resistance and second preimage resistance

One-way hash functions are also called weak one-way hash functions

A collision resistant hash function (CRHF) is a hash function that respects the properties of second preim- age resistance and collision resistance

Collision resistant hash functions are also called strong one-way hash functions

5

Keyed and unkeyed hash functions

A message authentication code (MAC) is a functions hk() parameterized by a secret key k and that re- spects the following properties:

1. efficiency: for a known function hk(), given a value k and an input x, hk(x) is easy to compute

2. compression: hk() maps an input x of arbitrary finite soze to an output hk(x) of fixed length n

3. computation-resistance: for a value of k unknown to an adversary, given zero or more pairs (xi, hk(xi)), it is computationally infeasible to compute any pair (x, hk(x)) for any new input x 6= xi

Detection manipulation code (MDC) are unkeyed hash functions

7

Iterative hash function

h(x) = g(Ht)  H0 = initial value Hi = f(Hi−1, xi) with i ∈ [1, t]

x = x1 . . . xt with |xi| = r for i ∈ [1, t]

9 Hash function: ideal security

An unkeyed hash function that produces n-bit outputs is said to have an ideal security if:

1. given a hash output, producing a preimage or a second preimage requires approximately 2n op- erations

n 2. producing a collision requires approximately 22 operations

10 MDC in practice

Manipulation detection codes can be:

• build using a symmetric bloc cipher

11

MDC in practice

Manipulation detection codes can be:

• build using a symmetric bloc cipher

• customized hash functions: MD4, MD5, SHA-1, RIPEMD-160

15

MDC in practice

Manipulation detection codes can be:

• build using a symmetric bloc cipher

• customized hash functions: MD4, MD5, SHA-1, RIPEMD-160

• build using modular arithmetic: MASH-1

22

MAC in practice

Message authentication codes can be:

• build using symmetric bloc ciphers

24

CBC-MAC

If the optional part is not realized:

Let x a one-bloc input

Let M = CBC-MAC(x)

CBC-MAC(M) = CBC-MAC(x |0 ... 0) where | is the concatenation and where the size x |0 ... 0 is two blocs

26 MAC in practice

Message authentication codes can be:

• build using symmetric bloc ciphers

• build using MDC

27 MAC in practice

A MAC can be constructed from an MDC algorithm by including a secret key k as part of the MDC input

If the MDC follows an iterative construction

 H0 = initial value  Hi = f(Hi−1, xi) avec i ∈ [1, t]  h(x) = Ht

Then MAC(x) where x = x1 . . . xt can be build as hk(x) = h(k|x). This construction must be avoided

The construction hk(x) = h(x|k) can be dangerous if collisions can be found for the function h()

Therefore, it is suggested to compute hk(x) = h(k|x|k)

28 MAC in practice: HMAC

Let opad (outer padding) be a bloc = 0x5c5c5c5c5c

Let ipad (inner padding) be a bloc = 0x3636363636

HMAC(k, x) = h ((k ⊕ opad) |h ((k ⊕ ipad) |x))

29 MAC in practice

Message authentication codes can be:

• build using symmetric bloc ciphers

• build using MDC

• customized hash functions: MAA, MD5-MAC

30

Integrity

Data integrity ensures that a data has not been al- tered in an unauthorized manner (no matter that the data is stored or transmitted) data source authentication is based on a shared se- cret key (but the entities that share the secret key can not be distinguished)

When mechanisms that prevent reply attacks are used, we have transaction authentication

34 Integrity

Integrity can be obtained with:

• error detection/correction mechanisms

• message authentication code (MAC)

• manipulation detection code (MDC) used with an authenticated channel

• encryption

• MDC + encryption

• MAC + encryption

35

MAC+ encryption

hk(x) = Ek(x|hk0(x))

But, we have to avoid:

• k = k0

• hk0 = CBC-MAC without the optional part

• Ek = symmetric bloc encryption in CBC mode that is identical than the one used in the CBC- MAC

• same initial value in CBC-MAC and in Ek

37 Birthday paradox

When considering 23 people, the probability that at least two of them have their birthday on the same day (not taking into account the year of birth) is approxi- matively equal to 50 percent

38 Birthday paradox

Let h be a hash function, h : X → Z, where X and Z are finite sets such that |X| > |Z|. Let |X| = m and |Z| = n

Consider k messages xi ∈ X chosen randomly (with i ∈ [1, k]

What is the probability that two different xi have the same image (i.e. produce a collision)? zi = h(xi) for i ∈ [1, k]

We can consider that the zi are random values (what is reasonable when considering the output of a cryp- tographic hash function) since the xi are chosen ran- domly

39 Birthday paradox

The probability that all the zi are distinct is:

 1  2  k − 1 k−1  i  1 1 − 1 − ... 1 − = Y 1 − n n n i=1 n

 1 where 1 is the probability to draw z1, 1 − n is the  i  probability to draw z2 6= z1, ... , 1 − n is the prob- ability to draw a zi distinct from z1, . . . , zi−1

40 Birthday paradox

k−1   k−1 Y i Y − i 1 − ≈ e n i=1 n i=1

−x x2 x3 −x because e = 1 − x + 2! − 3! ... , and e ≈ 1 − x if x is small

i k here x = n with at most x = n and k ≤ n

i i −n Therefore: 1 − n ≈ e

41 Birthday paradox

k−1   ( 1) Y i −1 Pk−1 i − k− k 1 − ≈ e n i=1 = e 2n i=1 n because n n(n + 1) X i = i=1 2

42 Birthday paradox

Let P 0 be the probability that there is no collision, we have:

k−1 i Y 1 − = P 0 i=1 n

−(k−1)k P 0 ≈ e 2n

0 (k−1)k ln(P ) ≈ − 2n

2n ln(P 0) ≈ −(k − 1)k

2 ln( 1 ) 2 n P 0 ≈ k − k

2 ln( 1 ) 2 n P 0 ≈ k (by neglecting k in comparison with k2)

43 Birthday paradox

q 2 ln( 1 ) 2 2 ln( 1 ) n P 0 ≈ k , donc n P 0 ≈ k

Let P be the probability that there is at least one col- lission: P = 1 − P 0 q 1 2n ln(1−P ) ≈ k

1 If P = 2: q 2n ln(2) ≈ k

√ 1, 386n ≈ k

√ 1, 177 n ≈ k

√ k is in O( n)

44 Birthday paradox

If the outputs of a cryptographic hash function are on 64 bits (|Z| = 264), when testing 232 messages the 1 probability to find a collision surpasses 2

r More generally, if |Z| = 2r, when testing 22 mes- 1 sages the probability to find a collision surpasses 2

This explain the ideal security of cryptographic hash functions

45 Birthday paradox

If X = {humans} and Z = every 365 days (birth- √ days), |Z| = 365 = n, we have: 1, 177 n = √ 1, 177 365 ≈ 23

When considering 23 people, the probability to find two people out of the 23 that have their birthday the 1 same day surpasses 2

3 √ With P = 4, we have k ≈ 1, 66 n,, therefore if n = 365 we have k ≈ 32

With P = 99%, we have k ≈ 58

46